Privacy notice Processing of personal data, Student register for general upper secondary education

Date of publication:  2.8.2024 (Updated 7.8.2025)

City of Espoo

Tapio Erma, Director of Upper Secondary Education

Mia Westerlund, Administrative Manager, Swedish Education and Cultural Services

Email: firstname.lastname@espoo.fi

Tel. 09 816 21 (switchboard)

Principals are responsible for tasks related to the register as regards the general upper secondary schools they manage. The data subject can contact the principal to receive more detailed information about the register or their own rights.

Email: firstname.lastname@espoo.fi

Tel. +358 9 81621 (switchboard)

Helena Niemi, Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

• Organisation of teaching and taking care of tasks that arise from the education provider’s relationship with the student.
• Compiling statistics for the City of Espoo. When statistics are compiled, the data is processed anonymously.
• Providing statutory information on general upper secondary schools’ student numbers for government data collection purposes.

The Growth and Learning Sector uses the following city-level systems and electronic environments in which students’ and potentially guardians’ personal data is processed:

• school administration system Primus and Kurre (includes Wilma, which is the browser-based user interface of Primus and Kurre)
• work environment Google Workspace for Education (including Classroom, Meet, Forms)
• work environment Microsoft M365 (including Teams, OneDrive, Forms)
• school library system Axiell Aurora
• digital learning materials Edustore
• digital assessment tool Digilukiseula
• solutions related to the provision of ICT services (e.g. device management). 

The purposes for which personal data related to the organisation of teaching is processed in the aforementioned systems and environments are specified in greater detail below.

Personal data may also be processed in school-specific applications used in teaching. The data subject can contact the principal to receive more detailed information about the register or their own rights.

For the purpose of organising general upper secondary education, personal data may also need to be processed outside of the aforementioned systems/environments, e.g. to support assessments conducted by teachers, organise school lunch (special diets), organise school trips or camps, produce surveys, and to perform duties laid down in the Act on Compulsory Education and carry out activities related to the provision of ICT services, such as device management. 

Personal data stored in the register may also be processed when it is necessary for the purposes of testing the information systems, for example when the education provider introduces a new information system.

Primus, Kurre and Wilma

Primus and Kurre

• Organisation of general upper secondary education (section 3 of the Act on General Upper Secondary Education).
• Taking care of tasks that arise from the education provider’s relationship with the student.
• Performance of duties laid down in the Act on Compulsory Education.
• Creation of a user identity for the study environment’s electronic services (Microsoft M365, Google Workspace for Education).
• Provision of a mobile device management service (Apple School Manager/Jamf School).
• Administration of user accounts for the Wilma user interface.
• School-specific statutory student number data is disclosed for government data collection purposes based on data in Primus (Act on the Financing of Educational and Cultural Provision, Act on Central Government Transfers to Local Government for Basic Public Services).
• Data in Primus is used to compile statistics for the City of Espoo. When statistics are compiled, the personal data is processed anonymously.
• Students’ subject and course selection data is stored in Kurre’s work plan software for the purpose of preparing work plans.

Wilma (browser-based interface of the Primus and Kurre school administration system)

Wilma can be used to carry out:

• absence recording
• student assessment
• course selection and course registration
• cooperation between general upper secondary schools and homes
• communication (communication with guardians and students, notifications to guardians and students and guardians’ messages to schools)
• surveys and their feedback
• notices concerning students relating to their school attendance and performance (steering/corrective feedback, follow-up feedback, positive feedback).
• communication of decisions related to the student if the student’s guardian has provided their consent for this.

Microsoft M365

• organisation of general upper secondary education (M365 includes electronic tools and user-produced content)
• management of M365 access rights
• enabling of interaction between users within their own groups
• use of the email services.

Google Workspace for Education

• organisation of general upper secondary education (Google Workspace includes electronic tools and user-produced content)
• management of Google Workspace access rights
• enabling of interaction between users within their own groups
• management of devices connected to the service and the software and applications used on them (e.g. Chrome, Classroom and Drive).

School library system Axiell Aurora

• Supports general upper secondary studies in the mother tongue and literature (section 11 of the Act on General Upper Secondary Education).
• The system has three components: the library system, the self-service user interface and the online library. The student data is in the library system, and the self-service user interface and the online library Axiell Arena make use of the student data entered into the system.

Digital learning materials Edustore

• The procurement channel Edustore for the procurement of digital and printed learning materials and related supporting materials and supplies.

Digital assessment tool DigiLukiseula

• DigiLukiseula is a research-based tool for assessing the pupil’s reading and writing skills and related support needs.

Equipment related to the provision of ICT services

• The device management service ensures that workstations and mobile devices used in schools and by pupils are managed in a secure manner. The service makes it possible to ensure that pupils use the devices they obtain from the school only for learning purposes. It also ensures that the devices are up-to-date and enables the controlled distribution of applications.
• The printing service is used for secure printing. It allows pupils to print documents in a secure and controlled manner.

Article 6, paragraph 1, point c of the EU’s General Data Protection Regulation: processing is necessary for compliance with a legal obligation to which the data controller is subject, i.e. for the purpose of organising general upper secondary education in accordance with the Act on General Upper Secondary Education and the performance of duties laid down in the Act on Compulsory Education. 

Special categories of personal data: According to section 6 of the Data Protection Act, Article 9(1) of the Data Protection Regulation does not apply to any processing of data that is provided by law or that derives directly from a statutory duty set out for the data controller by law. Processing of special categories of personal data is derived from duties set out for an education provider by the Act on General Upper Secondary Education or the Act on Compulsory Education.

Under section 29 of the Data Protection Act, the student’s personal identity codes are collected for identification purposes.

Data content of the systems and electronic environments

Azure AD management and logs

• Privacy notice Azure AD management and log register

Primus, Kurre and Wilma

• the student’s name, personal identity code, contact information and photograph
• the student’s AD account for the Wilma user interface and student network
• the guardians’ name and contact information and Wilma user account
• information on selections concerning subjects and syllabuses
• the students’ assessment information
• decisions concerning the student
• the student’s school history
• the student’s immigration-related information
• information concerning the student’s absences
• other information related to teaching and the organisation of teaching
• information concerning the matriculation examination
• student’s right to free education. 

Special categories of personal data processed include information on religious or philosophical conviction and possibly information related to health. 

Microsoft M365

• person’s first and last name
• user ID
• email address
• learner ID
• encrypted unique identifier
• school-related information (teaching groups, school, class, school ID)
• role: staff/student
• IP address
• information produced or added by the pupil

Content produced by the student and guardian means pictures, texts, links, videos and audio files uploaded to the system.

The user can, for example, add their own description of themselves and their area of responsibility, their mobile phone number, location information, competence information, date of birth and other areas of interest to the service, to be viewed by everyone / limited users. The user can allow the utilisation of the information content that they produce and obtain information about their networking and closest friends.

Google Workspace for Education

• the student’s name
• user account
• school
• grade and groups
• encrypted unique identifier
• information produced or added by the user.

An administrator can save information such as organisations’ names, websites, phone numbers, addresses and account suspension in the service. In addition to this, Google collects information from end users, the entering of which is based on information entered by the user themselves, e.g.: phone number, a photograph of the user, date of birth, the user’s device-specific information, such as hardware model, operating system version, individual device identifier and mobile network used, including mobile phone number. Google can connect the device identifier or phone number to a Google account.

School library system Axiell (Aurora)

• Identifiable data: Name, school, class, email address, user name, library card number, loan details, group instructor, PIN code/password
• Pseudonymised data: Object ID that acts as a customer’s technical identifier but does not include, for example, a personal identity code or other identifying information.

Digital learning materials Edustore

• User name
• Name of school
• Class
• Encrypted unique identifier
• Email address

Digital assessment tool DigiLukiseula

The following data is stored in the system maintained by the Niilo Mäki Instituutti:

• learner ID
• information added by the teacher to the service
• information added by a student
• student results from the service

How is data processed in the system? 

At the City of Espoo, the results of DigiLukiseula are entered into Primus. For the purpose of processing the assessment results, they will be combined with background information available in Primus (e.g. school, gender, mother tongue and support measures) in order to analyse and monitor the reading and writing skills of different groups.  This assessment material is pseudonymised. This data is not processed from the perspective of individual pupils, but for the purpose of analysing city-level results for the development of teaching.

Equipment related to the provision of ICT services

• Device management (workstations and mobile devices)

In workstation management, information about the devices includes the model, serial number, operating system and login information, as is usual in remote management solutions. The system also shows the name of the school or office where the device has been placed.

In mobile device management, we have adopted a model where login is not required, and therefore, there is no need to process pupils’ personal data. In mobile device management, information about the devices includes the model, serial number and operating system, as is usual in remote management solutions. The system also shows the name of the school or office where the device has been placed.

All usernames or group names are sequential alphanumeric strings, such as koulunnimi.ipad.oppilas01. This username is artificial and is not linked to a specific person but a device. It is a device-specific virtual username for shared mobile devices.

User IDs for the remote management environment are created for teachers serving as system administrators. These system administrators can add content (apps) to devices, limit the number of apps in use at each lesson, and move devices from one management group to another. In order to create the user IDs, the following information is collected on the system administrator teachers: first and last name and email address.

• Printing service

The printing service allows pupils to print documents through various devices and systems, for example a Windows computer, iPhone, iPad, Android phone or tablet, Mac, Chromebook or email. The user’s name and username and the name of the school are stored in the printing service.

Personal data processed outside of the systems and electronic environments

This personal data may include, for example, the student’s identifying and contact information, information related to assessment, and health information (related to school lunches).

• The students’ and their guardians’ basic information is updated into the Primus school administration system from Trimble Locus once a week (those who moved to, from, or within Espoo).
• The personal data of students selected in the joint application process is obtained from the Finnish National Agency for Education’s Studyinfo.
• Guardians and students supplement and update personal data using forms or in Wilma.
• The majority of the information stored in the register consists of information related to the student’s education, created in the organisation of education.

Changing general upper secondary schools or transferring to a general upper secondary school

• A student’s previous general upper secondary school may disclose to their new general upper secondary school public information necessary to the new general upper secondary school for arranging instruction for the student (section 16, subsection 3 of the Act on the Openness of Government Activities).
• Notwithstanding provisions on confidentiality, the holder of information shall have the right to provide information on a student’s state of health and functional capacity necessary for the performance of the recipient’s duties to the principal of an educational institution and those responsible for the security of the educational institution for the purpose of ensuring the safety to pursue studies as well as to a person responsible for guidance for studies for the purpose of guiding the student to other studies or support services (Act on General Upper Secondary Education, section 58, subsection 1, paragraphs 1 and 2).
• Notwithstanding provisions on confidentiality, a school has the right to obtain, from another education provider or the municipality in charge of steering and monitoring, information necessary for the performance of its educational duties laid down in the Act on Compulsory Education. Such information includes information on the student’s compulsory education, previous studies and suspension of studies. (section 23, subsection 2 of the Act on Compulsory Education) 

Electronic study environment services

Electronic study environment services are produced with the user identity of Visma’s Primus school administration system (name, encrypted unique identifier, school, class, grade, teaching groups, email address, username).

In Microsoft’s M365 service, user identity is administered by Microsoft’s Azure Ad, which is the city’s centralised user authorisation management and log register, Microsoft AD and Azure AD.

Data and documents are disclosed to the person requesting them in accordance with the Act on the Openness of Government Activities. Information and documents are public unless specifically defined as confidential under law.

The data is confidential in accordance with section 24 of the Act on the Openness of Government Activities and section 40 of the Basic Education Act.

Koski

The national centralised integration service for study rights and study records (KOSKI) collects students’ study records and study rights in a single service. The information is collected directly from the student register. (Act on the National Registers of Education Records, Qualifications and Degrees, 884/2017) 
KOSKI is part of the Studyinfo.fi service maintained by the Finnish National Agency for Education.

Changing general upper secondary schools or transferring to vocational education and training

• A student’s previous general upper secondary school may disclose to their new general upper secondary school or other educational institution public information necessary for arranging instruction for the student (section 16, subsection 3 of the Act on the Openness of Government Activities).
• Notwithstanding provisions on confidentiality, if a student transfers to education activities organised by another education provider, the former education provider must without delay forward information necessary for arranging instruction for the student to the new education provider. The information must also be provided at the request of the new education provider. (section 23, subsection 3 of the Act on Compulsory Education)
• Notwithstanding provisions on confidentiality, a party in possession of information related to a student’s health or ability to function that is essential for the recipient to carry out its tasks has the right to disclose said information to the principal of an educational institution or a corresponding person responsible for the safety of education for the purpose of ensuring the safety of education and, with the student’s consent, to a person responsible for guidance counselling for the purpose of counselling related to other studies and support services (section 58, subsection 1, paragraphs 1 and 2 of the Act on General Upper Secondary Education).
• Notwithstanding provisions on confidentiality, if a student under the age of 18 transfers to education, activities or training organised by another education provider in accordance with the Act on General Upper Secondary Education, the Act on Vocational Education and Training or the Act on Vocational Adult Education and Training, the former education provider must without delay forward information necessary for arranging instruction or training for the student to the new education provider. The information may also be provided at the request of the new education or training provider.  (section 40, subsection 4 of the Basic Education Act)

Outreach youth work

• An education provider must disclose the identifying information and contact details of a young person over compulsory education age who ceases to participate in vocational education or general upper secondary education (section 11, subsection 2, paragraph 1 of the Youth Act).
• The education provider may decide not to disclose the above-mentioned information if they – considering the information available and the young person’s situation and overall need for support – determine that the young person is not in need of services and other support (section 11, subsection 3 of the Youth Act).
• An education provider may disclose the identifying information and contact details of a young person of compulsory education age who ceases to participate in vocational education or general upper secondary education. 

Student welfare services

• The Western Uusimaa Wellbeing Services County’s school social workers and psychologists as well as school nurses have, on the basis of section 23 of the Act on Information Management in Public Administration, limited access (viewing access) to the student’s necessary information (name, personal identity code, contact information and guardians’ names and contact information). With the consent of the person in question, limited access (viewing access) may apply to the student’s absence information and lesson notes.
• The education provider may disclose the student’s necessary information in situations provided for by law, for example when the student’s situation is addressed through multi-professional cooperation with student welfare professionals (Basic Education Act, sections 16a and 17).

Transfer of data to service providers

The service providers used in the organisation of education (such as the providers of electronic environments) process students’ personal data to the extent necessary for the provision of the service. The City of Espoo is always the controller of the data.

Microsoft’s subcontractors

• List of subcontractors used by Microsoft: https://go.microsoft.com/fwlink/p/?linkid=2096306(external link, opens in a new window)

Google’s subcontractors

• List of subcontractors used by Google Workspace for Education: https://gsuite.google.com/intl/en/terms/subprocessors.html(external link, opens in a new window)

Transfer of data to other systems

• matriculation examination registration information to the matriculation examination board
• matriculation examination billing information to the City of Espoo’s JOTO system
• data specified in the Statistics Act to Statistics Finland (section 15 of the Statistics Act)
• use of the survey tool (Webropol).

Based on the specific written consent of the data subject’s / underage student’s guardian or other legal representative, data may also be transferred to other parties. Data may be disclosed if there is a specific provision on such access or on the right of such access in an Act. (section 26 of the Act on the Openness of Government Activities)

The disclosure of public information from a personal data register controlled by an authority is based on section 16, subsection 3 of the Act on the Openness of Government Activities. According to this provision, the party requesting access must have the right to record and use such data. Personal data can only be disclosed following a detailed request for data (section 13, subsection 2 of the Act on the Openness of Government Activities).

Confidential information may only be disclosed to another education provider based on the student’s / underage student’s guardian’s consent or if the disclosure of / access to the information is provided by law.

Based on section 56 of the Act on General Upper Secondary Education, personal data may be disclosed for the purpose of organising an external education evaluation (such as a PISA survey or an evaluation by the Finnish Education Evaluation Centre (FINEEC)). The personal data disclosed for this purpose include only the data necessary for organising the evaluation. Individual students are not evaluated.

Personal data is mainly processed in systems and data warehouses located within the European Union (EU) and the European Economic Area (EEA). Some of the processors of personal data or the services they provide are located outside the EU/EEA, and in these cases personal data is also transferred outside the area. The data in the systems is transferred outside the EU/EEA, for example, in situations where the IT system or cloud service used for the processing of personal data is located on a server outside the EU/EEA, such as a server of a service provider based in the US.

In situations where personal data is transferred outside the EU/EEA, safeguards are established to maintain the high level of data protection required by European legislation even after the personal data has been transferred. These safeguards include an adequacy decision by the European Commission and a commitment to the required safeguards, such as the EU-US Data Privacy Framework, by the recipient of personal data. Required safeguards may also include the use of standard contractual clauses adopted by the European Commission as part of agreements concluded with personal data processors, in addition to which the processors are required to observe appropriate technical and administrative safeguards.

Primus, Kurre and Wilma

Data is not transferred outside the EU or the EEA.

Library system Axiell Aurora

Data is not transferred outside the EU or the EEA.

Digital learning materials Edustore

Data is not transferred outside the EU or the EEA.

Digital assessment tool DigiLukiseula

Data is not transferred outside the EU or the EEA.

Electronic study environment services

• Microsoft M365

Personal data is transferred outside the European Union or the European Economic Area. Microsoft Corporation is a US company involved in the EU-US Data Privacy 

Microsoft Professional Services’ personal data processing agreement:

https://www.microsoft.com/licensing/docs/view/Professional-Services-Data-Protection-Addendum-DPA(external link, opens in a new window)

• Google Workspace for Education

Personal data is transferred outside the EU or the EEA. Google LLC is a US company involved in the EU-US Data Privacy Framework. 

Standard contractual clauses approved by the European Commission:

https://gsuite.google.com/terms/mcc_terms.html(external link, opens in a new window), and Google’s amendment:

https://gsuite.google.com/terms/dpa_terms.html(external link, opens in a new window)

Workstation management

Data is not transferred outside the EU or the EEA.

Mobile device management

• Apple School Manager

Personal data is transferred outside the EU or the EEA. Apple Inc. is a US company that is not involved in the EU-US Data Privacy Framework.

The terms of Apple’s services, including standard contractual clauses approved by the European Commission, are available on Apple’s website.

https://www.apple.com/legal/education/data-transfer-agreements/datatransfer-eu-en.pdf(external link, opens in a new window)

• Jamf School

Personal data is transferred outside the EU or the EEA. Jamf Software, LLC is a US company involved in the EU-US Data Privacy Framework. 

The service used by Espoo is provided through a data centre in Germany (eu-central-1). 

Information about the locations of the Jamf cloud service: https://learn.jamf.com/en-US/bundle/technical-articles/page/Jamf_Cloud_Hosted_Data_Region_Information.html(external link, opens in a new window). 

Information about Jamf’s information security: https://learn.jamf.com/en-US/bundle/jamf-school-security-overview/page/Jamf_School.html(external link, opens in a new window)

Data is stored and destroyed in line with the City of Espoo’s records management plan and the applicable provisions and regulations issued by the National Archives of Finland.

Personal data is stored in the student register for one (1) year from the end of the use of the service. Statutory obligations regarding the storage of data are taken into account in the deletion of the data. The information and documents in electronic environments are stored and archived in the online services in accordance with the Growth and Learning Sector’s records management plan for one year after the end of compulsory education.

Data protection legislation guarantees various rights for the data subject in relation to the processing of personal data. Requests concerning the data subject’s rights can be submitted to the city’s Data Protection Officer or the contact person of the register using the above-mentioned contact details.

If necessary, the controller may ask the data subject to provide additional information to fulfil the request.

The controller must respond to a request concerning the data subject’s rights without undue delay and no later than one month after receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are, as a rule, free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed as well as the right to access the data and to obtain a copy of the data. However, the provision of data shall not adversely affect the rights or freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

Under certain conditions, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her. For example, if the processing of personal data is based on consent and the data subject withdraws his or her consent and there is no other legal ground for the processing, the data subject shall have the right to have his or her data erased. However, the data subject shall not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data subject shall have the right to request the restriction of processing in certain situations. For example, if the accuracy of the personal data is contested by the data subject, processing is restricted for a period enabling the controller to verify the accuracy of the personal data. The right also applies if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a situation, the controller may only continue processing the personal data if the controller demonstrates compelling legitimate grounds for the processing. Processing may also continue if it is necessary for the establishment, exercise or defence of legal claims.

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes data protection legislation. The data subject can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)

Change history: 

7 August 2025: Mobile device management as a processing method was changed and extended to include the provision of all ICT services. Added the digital assessment tool DigiLukiseula.